
Billions of devices affected by UPnP vulnerability

Stop us if you’ve heard this before but a researcher has uncovered a new security vulnerability affecting many devices running the Universal Plug and Play (UPnP) protocol.

Named CallStranger by discoverer Yunus Çadırcı, the potential for trouble with this flaw looks significant for a whole menu of reasons, starting with the gotcha that it’s UPnP.

UPnP was invented back in the mists of time to graft the idea of plug-and-play onto the knotty world of home networking.

UPnP meant users didn’t have to know how to configure router ports – if the device and the home router supported UPnP (often turned on by default), connectivity happened automagically.

But UPnP also allowed more and more devices inside the network to connect to external entities on the internet with no authentication, which is where the trouble started.

Enter CallStranger (CVE-2020-12695), technically a vulnerability in UPnP’s SUBSCRIBE function. A subscription request carries a Callback header naming the URL to which the device should send its event notifications, and vulnerable devices will dutifully send them to any URL they are given, which makes possible what Çadırcı describes as a “Server Side Request Forgery (SSRF)-like vulnerability.”

An attacker able to exploit this flaw could use it to co-opt vulnerable devices for DDoS attacks, bypass data loss prevention security to sneak data out of networks, and possibly carry out port scanning to probe for exposed UPnP devices.

Which devices are affected?

Potentially large numbers of devices with UPnP enabled, which includes home routers, modems, smart TVs, printers, cameras, and media gateways. It’s also been enabled on a lot of what might loosely be called Internet of Things (IoT) products, as well as major operating systems such as Windows 10, and even the Xbox games console.

A list of known and suspected vulnerable devices is available on the CallStranger publicity website, but it would be wise not to assume this is definitive (a script is available to poll the network for vulnerable devices).
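The following script is an added example written for this page; it is not the CallStranger project’s own checker or any code from the article. It discovers UPnP devices over SSDP, pulls the eventing endpoints (eventSubURL) out of each device description, and sends a SUBSCRIBE whose Callback points at an address that cannot be on your LAN. The callback host 203.0.113.10 is an assumption chosen from the RFC 5737 documentation range so that nothing real receives the NOTIFY; the sample device description is constructed. Only use it against networks you are authorised to test.

```python
"""Added example (not from the article or the CallStranger project): find UPnP
eventing endpoints over SSDP and probe whether they accept a SUBSCRIBE whose
Callback points off-network, which is the behaviour CallStranger abuses."""
import re
import socket
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

SSDP_ADDR = ("239.255.255.250", 1900)
UPNP_NS = "urn:schemas-upnp-org:device-1-0"
# Assumption: 203.0.113.0/24 is the RFC 5737 TEST-NET-3 range, so nothing answers
# there; the device still reveals whether it accepts a callback host that is not local.
OFF_NET_CALLBACK = "http://203.0.113.10:8000/"

# Constructed device description in the shape a real rootDesc.xml takes.
SAMPLE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
        <controlURL>/ctl/L3F</controlURL>
        <eventSubURL>/evt/L3F</eventSubURL>
      </service>
    </serviceList>
    <deviceList>
      <device>
        <serviceList>
          <service>
            <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
            <controlURL>/ctl/IPConn</controlURL>
            <eventSubURL>/evt/IPConn</eventSubURL>
          </service>
        </serviceList>
      </device>
    </deviceList>
  </device>
</root>"""

def ssdp_discover(timeout=3.0):
    """Multicast an M-SEARCH and collect the LOCATION URL of every responder."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n').encode()
    locations = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_ADDR)
        try:
            while True:
                data, _ = s.recvfrom(65535)
                m = re.search(rb"(?im)^LOCATION:\s*(\S+)", data)
                if m:
                    locations.add(m.group(1).decode(errors="replace"))
        except socket.timeout:
            pass
    return sorted(locations)

def event_sub_urls(description_xml, location):
    """Return (serviceType, absolute eventSubURL) for every service, nested devices included."""
    root = ET.fromstring(description_xml)
    base = root.findtext(f"{{{UPNP_NS}}}URLBase") or location
    found = []
    for svc in root.iter(f"{{{UPNP_NS}}}service"):
        sub = (svc.findtext(f"{{{UPNP_NS}}}eventSubURL") or "").strip()
        if sub:
            found.append((svc.findtext(f"{{{UPNP_NS}}}serviceType", "").strip(),
                          urljoin(base, sub)))
    return found

def build_subscribe(event_url, callback_url):
    """The request CallStranger abuses: the device is told to NOTIFY whatever Callback it is given."""
    p = urlparse(event_url)
    path = (p.path or "/") + (f"?{p.query}" if p.query else "")
    return (f"SUBSCRIBE {path} HTTP/1.1\r\nHOST: {p.netloc}\r\n"
            f"CALLBACK: <{callback_url}>\r\nNT: upnp:event\r\nTIMEOUT: Second-300\r\n\r\n")

def parse_subscribe_response(raw):
    """Return (status code, SID header or None) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    sid = next((v.strip() for k, _, v in (h.partition(":") for h in head[1:])
                if k.strip().lower() == "sid"), None)
    return status, sid

def accepts_off_network_callback(event_url, callback_url=OFF_NET_CALLBACK, timeout=5.0):
    """True if the device creates a subscription (200 + SID) for an off-network Callback.
    The April 2020 spec update requires such callbacks to be rejected, so acceptance is a
    strong indicator; confirm by pointing Callback at a listener you control and watching
    for the NOTIFY."""
    p = urlparse(event_url)
    with socket.create_connection((p.hostname, p.port or 80), timeout=timeout) as s:
        s.sendall(build_subscribe(event_url, callback_url).encode())
        status, sid = parse_subscribe_response(s.recv(65535).decode(errors="replace"))
    return status == 200 and sid is not None

if __name__ == "__main__":
    for loc in ssdp_discover():
        try:
            xml = urllib.request.urlopen(loc, timeout=5).read()
        except OSError as e:
            print(f"{loc}: {e}", file=sys.stderr)
            continue
        for stype, url in event_sub_urls(xml, loc):
            try:
                flag = accepts_off_network_callback(url)
            except OSError as e:
                flag = f"error: {e}"
            print(f"{loc} {stype} {url} off-network callback accepted: {flag}")
```

A 200 response with a SID for a callback outside the local network is the signal to look for; a stack that follows the updated specification answers with an error instead. Because the callback address here is unroutable by design, a positive result is an indicator rather than proof, and the definitive check is to see the device’s NOTIFY arrive at a host you control.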

The one UPnP stack that isn’t affected is MiniUPnP, which is used in a sizable chunk of home routers. The problem is it’s not easy to tell which devices use this and which don’t.

Windows 10 1903 build 10.0.18362.719 is said to be vulnerable, which for consumers would have been updated to 10.0.18363.836 in May.

Çadırcı reported the flaw to the group that looks after UPnP, the Open Connectivity Foundation (OCF), in December, and says he’s since sent and received hundreds of emails as part of the effort to coordinate a vendor response.

The OCF updated the UPnP specification on 17 April, which means that devices designed after that shouldn’t be vulnerable to the issue. Çadırcı does say:

Home users are not expected to be targeted directly. If their internet facing devices have UPnP endpoints, their devices may be used as a DDoS source.

Nevertheless, billions of UPnP devices will still need to be patched. In some cases that will happen but don’t hold your breath; many vulnerable devices will probably either never receive an update or will receive one that won’t be applied.

That’s why it’s important to mitigate the problem by at least turning UPnP off if it’s not being used, something Naked Security has recommended after previous UPnP scares. How users do this will vary from device to device, but for routers the setting will be buried somewhere in the web interface settings.

Those include the UPnProxy attack on routers uncovered by Akamai in 2018, the Pinkslipbot (aka QakBot/QBot) malware in 2017, and HD Moore’s Unplug Don’t Play vulnerabilities in 2013 (the latter echoing the infamous Conficker worm of 2008).

Cryptomining criminals under the spotlight – a SophosLabs report

Remember cryptojacking?

That’s where websites would insert JavaScript software that mined cryptocurrency into web pages that you visited so that as long as you stayed on the page, your computer would be churning away, mining cryptocoins…

…on behalf of someone else.

Cryptojackers didn’t need to hack thousands of computers and install malware on every one of them – they could hack one web server and potentially run their money-making JavaScript software in thousands or even millions of browsers as innocent visitors visited that website.

In short, cryptojacking was a surprisingly simple, cross-platform, cloud-based way to steal other people’s processing power.

There was even a short-lived attempt to commercialise (and therefore to legitimise) cryptojacking, where websites could invite you to opt in to receive cryptomining JavaScript as you browsed in lieu of paying a subscription fee or as an alternative to ads.

But the system never worked out and has almost entirely been abandoned now by cybercrooks and legitimate websites alike.

The main snag was that browser-based cryptomining needed so much CPU power that any website that tried it became as good as unusable by visitors, whose browsers would bog down completely (and whose laptop cooling fans would fire up noisily in complaint), all in return for a negligible cryptocoin payout.

The economics just didn’t work out.

Visitors learned to avoid websites that tried to use it; most anti-virus software routinely started stripping out cryptocoin mining JavaScript anyway; the best-known service trying to commercialise browser-based mining shut down; and that, for many people, was that.

Because of the failure of browser-based cryptojacking in both its legitimate and criminal forms, it’s easy to assume that unlawful cryptomining has died out altogether and that cybercrooks have dropped this sort of attack from their arsenal entirely in favour of bigger money-earners such as ransomware and data theft.

Sadly, however, unlawful cryptomining is still a thing, and SophosLabs has just published a report that follows the evolution and operation of the cybercrime gang behind a botnet known as Kingminer.

Botnets, also known as zombie networks, are collections of infected computers that regularly call home to a single group of crooks to await further instructions, meaning in theory that the crooks who control a botnet could use the computers ensnared in it for almost any cybercriminal activity they wanted.

That could include stealing data, watching you on your webcam, snooping on your typing and browsing, sending out vast volumes of spam, using your computer as a jumping-off point to attack other people…

…or operating a giant pool of cryptomining computers.

Cryptomining seems to be the top activity in the Kingminer gang’s playbook, and they’re not targeting home users with laptops but instead going after company networks and all the computers on them.

Even with offices in many countries closed due to coronavirus regulations, company networks are still running, and those networks often contain lots of juicy servers that make an attractive target for cryptomining malware.

After all, servers have two desirable properties for cryptomining abuse, namely that they’re always on, so any unauthorised mining runs 24/7, and they’re usually much more powerful than the average laptop, so the crooks can dial in decent earnings without taking over the server so completely that they get noticed.

The Kingminer gang

The new Kingminer report makes fascinating reading because it delves into the malware delivery system that the crooks in this gang have been evolving and using for several years now.

In the report, you will:

  • Learn how the crooks get into your network in the first place. These crooks seem to favour brute-force password attacks against RDP and SQL servers, combined with exploits for unpatched vulnerabilities such as BlueKeep (a way to break into vulnerable RDP servers without a password) and ETERNALBLUE (a way into Windows SMB networking without a password).
  • Learn how the crooks guard their turf. These crooks make sure you are patched against BlueKeep once they’re in by downloading and installing any missing updates for you. This stops rivals following them onto your network later.
  • Learn how the crooks download their latest attack tools. The crooks employ what’s called a domain generation algorithm (DGA) that automatically comes up with a new website name to use for downloads each week. Unless you know the DGA, it’s hard to guess which download domains the crooks will be registering and using for their next attack. They also make use of popular software distribution sites like GitHub to host their attack software, moving on to new accounts as the old ones are identified and shut down.
  • Learn how the crooks launch their chosen cryptomining code. This gang uses a variety of tricks to download and launch their final malware payload. For example, instead of loading their malware programs directly, they’ll install legitimate programs and trick those programs into loading their malware files as DLLs. Or they’ll build their malware to look like a Control Panel applet (a .cpl file) so it can be loaded by an official Windows program instead.
  • Learn how the crooks are keeping their options open. SophosLabs was able to dig around amongst the other tools that the Kingminer gang currently have up their sleeves. Although their activities seem to revolve mainly around illegal cryptomining, our researchers found they have an unhealthy interest in remote access and backdoor Trojans, Linux malware and password stealing tools, too.
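To make the DGA point concrete, here is an added example written for this page. It is not Kingminer’s algorithm and nothing about it comes from the SophosLabs report: the seed, the top-level domains and the DNS log lines are all assumptions constructed for illustration. It shows why a weekly seed matters to both sides: the malware gets a fresh domain each week without any configuration, and a defender who has recovered the algorithm from a sample can pre-generate the coming weeks’ domains to block or sinkhole them and to sweep DNS logs for machines already calling home.

```python
"""Added example (not Kingminer's real algorithm): a week-seeded domain generation
algorithm, and what a defender does with it once the algorithm is recovered."""
import datetime as dt
import hashlib

SEED = b"illustrative-seed"     # assumption; a real DGA's seed is recovered from the sample
TLDS = ("com", "net", "org")    # assumption

def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return dt.date.fromisoformat(d) if isinstance(d, str) else d

def weekly_domain(date, seed=SEED, length=12):
    """One domain per ISO week: the same answer all week, a new one the next week."""
    year, week, _ = _as_date(date).isocalendar()
    digest = hashlib.sha256(seed + f"{year}-W{week:02d}".encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
    return f"{label}.{TLDS[digest[length] % len(TLDS)]}"

def upcoming_domains(start, weeks, seed=SEED):
    """Defender side: pre-generate the next N weeks' domains to block or sinkhole."""
    start = _as_date(start)
    return [weekly_domain(start + dt.timedelta(weeks=i), seed) for i in range(weeks)]

def dga_hits(dns_log, start, weeks, seed=SEED):
    """Return the (client, name) pairs from a DNS log that match the pre-generated list."""
    wanted = set(upcoming_domains(start, weeks, seed))
    return [(client, name) for client, name in dns_log
            if name.lower().rstrip(".") in wanted]

def demo():
    """Constructed DNS log: one host resolving this week's domain, one resolving last week's."""
    start = "2020-06-08"
    log = [
        ("10.0.0.5", "github.com"),
        ("10.0.0.7", weekly_domain("2020-06-12") + "."),   # same ISO week as start
        ("10.0.0.9", weekly_domain("2020-06-01")),         # previous week, already rotated
    ]
    return dga_hits(log, start, weeks=4)

if __name__ == "__main__":
    for d in upcoming_domains(dt.date.today(), 4):
        print("block:", d)
    for client, name in demo():
        print("DGA hit:", client, name)
```

The log entry for the previous week is deliberately not matched: a block list built only from the current and future weeks says nothing about hosts that called home before you started looking, so a retrospective sweep should run the generator backwards over the period the sample is believed to have been active.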

Learn more by reading the full report.


Latest Naked Security podcast

Facebook labels ‘state-controlled’ Russian, Chinese, Iranian media

Facebook last week began slapping “state controlled” labels on media outlets that it’s determined are under the thumb of a government.

With the labels, Facebook is enacting a policy it announced in October. That’s when the platform introduced new election security measures, including a promise to increase transparency by showing the confirmed owner of a Page and by labeling state-controlled media on their Page and in the platform’s Ad Library.

This is just one of many efforts it’s taken in the run-up to the 2020 US presidential election, as it tries to stem a renewed onslaught of the foreign tinkering that was seen in 2016. Not that the meddling has gone anywhere, mind you. Within days of the October announcement, Facebook said that it had pulled fake news networks linked to Russia and Iran.

According to NPR, as of Thursday’s announcement, Pages and posts from at least 18 media outlets had been labelled “state-controlled media,” including Russia Today, Russia’s Sputnik News, China’s People’s Daily, China Xinhua News, and Iran’s Press TV. The Facebook Pages for all of the outlets are now carrying transparency notices that advise users that they’re “wholly or partially under the editorial control of a state,” as determined by factors including funding, structure and journalistic standards.

Here are examples of what those labels look like:

Facebook’s label of “state-controlled media” on the Transparency section of Russia’s Sputnik News page. IMAGE: Facebook
Facebook’s label of “state-controlled media” on the Transparency section of China Xinhua News’s page. IMAGE: Facebook

Facebook’s head of cybersecurity policy, Nathaniel Gleicher, said in a post that the platform came up with its criteria for what constitutes “state controlled” media after consulting with more than 65 worldwide experts in media, governance, and human rights and development. It’s taken this move so people will know when the news they read is under a government’s influence, Gleicher said:

We’re providing greater transparency into these publishers because they combine the influence of a media organization with the strategic backing of a state, and we believe people should know if the news they read is coming from a publication that may be under the influence of a government.

Determining that a news outlet is state controlled goes beyond figuring out who controls the pursestrings, Gleicher said. There are other ways to exert editorial control besides funding mechanisms, such as:

  • Mission statement, mandate, and/or public reporting on how the organization defines and accomplishes its journalistic mission
  • Ownership structure such as information on owners, stakeholders, board members, management, government appointees in leadership positions, and disclosure of direct or indirect ownership by entities or individuals holding elected office
  • Editorial guidelines such as transparency around sources of content and independence and diversity of sources
  • Information about newsroom leadership and staff
  • Sources of funding and revenue
  • Governance and accountability mechanisms such as correctional policies, procedure for complaints, external assessments and oversight boards

In coming months, Facebook will also begin barring state-controlled outlets from buying advertising in the US. Gleicher noted that these outlets “rarely” advertise in the US. The move to bar foreign ad-buying comes from “an abundance of caution to provide an extra layer of protection against various types of foreign influence in the public debate” ahead of the 2020 presidential election in November, he said.

The labels will initially be shown to US Facebook users and will roll out to other countries over time. They’ll appear globally in the Ad Library Page view, on Pages, and in the Page Transparency section. In the US, the label started appearing on posts in News Feed over the week following the announcement.

Will US media get labeled as state-controlled?

No, it won’t. While Facebook says Iran, Russia and China have state-controlled outlets, it’s decided that the US does not, given that the country has press freedom. In an interview with Reuters, Gleicher said that US news outlets won’t get a “state controlled” label, even if they’re run by the US government. That’s because Facebook thinks that even state-run news outlets in the US have editorial independence, he said.

Again, country-specific factors such as press freedom are one of the criteria the platform used to assess which outlets are state controlled.

Having said that, recently, Facebook has come under fierce criticism for looking the other way while President Trump has apparently flouted the platform’s rules. CEO Mark Zuckerberg was lambasted after Facebook declined to do anything about the president’s threatening statements on Twitter, Facebook and Instagram.

What the president said about the Black Lives Matter protests over the killing of George Floyd – a Black man who pleaded for his life as a white police officer knelt on his neck for over 8 minutes:

Any difficulty and we will assume control but, when the looting starts, the shooting starts.

The threatening statement was interpreted as a reference to a racist 1960s police chief known for ordering patrols of black neighborhoods with shotguns and dogs during the Civil Rights era.

Twitter flagged Trump’s statement as “glorifying violence”, hiding it from public view unless a user clicks on it. Earlier in that same week, Twitter applied a fact-checking label to the president’s tweets for the first time following the president having accused California of using mail-in ballots to ensure a “rigged election”.

Facebook, on the other hand, didn’t censor the president’s statements, in spite of the company’s explicit rules against speech that could inspire or incite violence.

Last week, several Facebook staff staged a walkout in protest over the inaction. Protests over CEO Mark Zuckerberg’s refusal to take down Trump’s posts continued into this week. On Monday, moderators joined in on criticism of Zuckerberg’s stance on the issue.


Double-crossing ransomware decryptor scrambles your files again!

Here’s one for the books: ransomware that’s disguised as a free anti-ransomware decryption tool.

The sample we looked at claims to be a decryptor for the DJVU ransomware, which gets its name from the .djvu extension it appends to files that it’s just scrambled.

You’re invited to put in your “personal ID” and a file extension, presumably to give the program a veneer of legitimacy, but as far as we can see it ignores what you enter, using the dialog simply as a launcher for the encryptor-within-the-decryptor.

In fact, the fake decryptor simply extracts a copy of another program called crab.exe (not to be confused with the GandCrab ransomware family) that’s embedded inside it as a data resource.

The fake decryptor writes crab.exe to your TEMP folder, launches it and then deletes itself.

The crab.exe file is unreconstructed ransomware: it goes through your files looking for matches against a long list of file extensions to encrypt, and scrambles them with a randomly-chosen encryption key.

The extension .djvu, added by the very ransomware that this double-crossing malware claims to be able to fix, is on the list.

So if you are running this in the desperate hope that you might be able to recover from one ransomware attack for free…

…you’ll end up in a double-whammy situation, with any files that DJVU didn’t yet attack scrambled once, and with any already-encrypted files now scrambled twice.

This malware uses the extension .ZRB, so doubly-encrypted files will now end .djvu.ZRB.

After the scrambling finishes, your Windows wallpaper is set to a black background for dramatic effect, and a file called --DECRYPT--ZORAB.txt is added to your desktop to tell you what to do next:

There’s no price shown here, no web page to visit, and no cryptocoin wallet to send any funds to, just a “personal ID” and a pseudo-anonymous Protonmail email address that supposedly puts you in touch with the crooks.

Note that by simply changing a few text strings in their malware and recompiling it, these crooks could easily turn it into a variant that claims to “fix” other ransomware strains – it’s just the window title and the .djvu extension string that target this sample at DJVU victims.

We’re guessing that DJVU was targeted this time because early versions of that malware could be decrypted for free, but it seems that the DJVU crooks made some recent “improvements” to make it harder to unscramble without paying.

As a result, we assume that at least some victims might now be willing to search outside their usual comfort zone for free tools that claim to help, given that the reputable ones they’ve already tried didn’t work.

For what it’s worth, the crab.exe scrambler didn’t seem very well programmed – in our tests it failed to scramble some files for reasons that could easily be avoided (we shan’t say exactly what those reasons are here), and in some directories it managed to scramble its own --DECRYPT--ZORAB.txt ransom note shortly after creating it.

On our test desktop, the malware tried but failed to decrypt our sacrificial files.
It did, however, scramble its own ransom note.
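The script below is an added example written for this page, not code from the article or from Sophos. It walks a victim’s file tree and sorts files by what happened to them, using only the facts given above: DJVU appends .djvu, Zorab appends .ZRB, Zorab drops --DECRYPT--ZORAB.txt and sometimes scrambles that note itself. The sample tree it builds is constructed; the buckets it reports are the ones an incident responder needs before restoring from backup: files scrambled twice, files scrambled once by either strain, and files the buggy encryptor missed.

```python
"""Added example (not from the article): triage a file tree hit by the Zorab fake
decryptor (.ZRB) on top of an earlier DJVU (.djvu) infection. The sample files are
constructed; the extensions and ransom-note name are those reported in the article."""
import os
import sys
import tempfile
from collections import Counter

NOTE_NAME = "--DECRYPT--ZORAB.txt"
ZORAB_EXT = ".ZRB"
DJVU_EXT = ".djvu"

def classify(filename):
    """Bucket a file name by what happened to it."""
    low = filename.lower()
    if low == (NOTE_NAME + ZORAB_EXT).lower():
        return "note_encrypted"    # Zorab scrambled its own ransom note
    if low == NOTE_NAME.lower():
        return "note"
    if low.endswith((DJVU_EXT + ZORAB_EXT).lower()):
        return "double"            # DJVU first, then Zorab: scrambled twice
    if low.endswith(ZORAB_EXT.lower()):
        return "zorab_only"        # untouched by DJVU, scrambled once by Zorab
    if low.endswith(DJVU_EXT.lower()):
        return "djvu_only"         # DJVU victim that Zorab failed to encrypt
    return "clean"

def original_name(filename):
    """Peel the ransomware extensions off so the file can be matched to a backup."""
    for ext in (ZORAB_EXT, DJVU_EXT):
        if filename.lower().endswith(ext.lower()):
            filename = filename[:-len(ext)]
    return filename

def triage(root):
    """Walk a tree and return per-bucket counts plus one example path per bucket."""
    counts, examples = Counter(), {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            bucket = classify(name)
            counts[bucket] += 1
            examples.setdefault(bucket, os.path.join(dirpath, name))
    return counts, examples

def build_sample_tree(base):
    """Constructed victim tree reproducing the outcomes described in the article."""
    layout = {
        "docs": ["report.docx.djvu.ZRB", "budget.xlsx.djvu.ZRB", NOTE_NAME + ZORAB_EXT],
        "photos": ["holiday.jpg.ZRB", "old.pdf.djvu", NOTE_NAME],
        ".": ["readme.txt"],
    }
    for sub, names in layout.items():
        d = os.path.join(base, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"placeholder")
    return base

def run_demo():
    """Triage the constructed tree; returns (counts, examples)."""
    return triage(build_sample_tree(tempfile.mkdtemp(prefix="zorab-")))

if __name__ == "__main__":
    counts, examples = triage(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:15} {n:6}  e.g. {examples[bucket]}")
```

Run it with a directory argument to triage a real tree, or with no arguments to see it classify the constructed sample. The djvu_only bucket is worth a second look on a live system: those are files the Zorab encryptor tried and failed to scramble, so they may still be recoverable with the legitimate DJVU tools if the variant is an old one.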

What to do?

We don’t know how this particular sample was distributed, or how many people have run it, but if you have been the victim of one ransomware attack already, please don’t let your guard down in your search for a free tool to recover…

…only to find out you’ve made a bad thing worse.

Ransomware isn’t only about attacks on big companies and corporate networks.

At home, you can protect yourself with some simple precautions:

  • Don’t open unexpected attachments, especially on the say-so of the email itself, which could have come from anybody and probably did.
  • Don’t click through to unexpected web links or download software you didn’t ask for just because someone you don’t know told you to.
  • Get your patches and security updates as soon as you can. Don’t make it easy for the crooks by leaving yourself open to attacks that you could have prevented.
  • Look for an anti-virus that includes a real-time filter to stop malicious behaviour before it does any harm, plus a built-in web filter to keep you away from hacked or harmful sites.
  • If you’re stuck, ask someone you know and trust instead of hunting further and further afield online on your own.
  • Make regular backups so you have a fighting chance of recovering lost or damaged files on your own.

Both the fake decryptor and the ransomware it contains are blocked by Sophos products as Troj/Ransom-FYU. Other names you may hear for this threat include Zorab (the name it gives itself) and Zorba, an anagram of that.

